Abstract: With the growth of cloud computing, many businesses, both small and large, are opting to use cloud services, compelled by a great cost savings potential. This is especially true of public cloud computing, which allows for quick, dynamic scalability without much overhead or long-term commitments. However, one of the largest dissuasions from using cloud services comes from the inherent and unknown danger of a shared platform such as the hypervisor. An attacker can attack a virtual machine (VM) and then go on to compromise the hypervisor. If successful, then all virtual machines on that hypervisor can become compromised. This is the problem of negative externalities, where the security of one player affects the security of another. This work shows that there are multiple Nash equilibria for the public cloud security game. It also demonstrates that we can allow the players' Nash equilibrium profile to not be dependent on the probability that the hypervisor is compromised, reducing the role externality plays in calculating the equilibrium. Finally, by using our allocation method, the negative externality imposed onto other players can be brought to a minimum compared to other common VM allocation methods.
I.  Introduction

Cloud computing is quickly becoming a standard resource in the IT toolbox and shows no signs of slowing down. It is predicted that “By 2017, nearly two thirds of all workloads will be processed in the cloud” as well as a growth of cloud traffic of 370% from 2012 to 2017 [10]. Given this astounding growth, it becomes exceedingly challenging for security to keep pace. This is especially true since demand for security can often be overlooked by clients in favor of performance and reliability, since security is difficult to quantify and holds less tangible benefits than the former. However, the current issues surrounding cloud security are still very apparent. Security-aware companies are still fearful over the theft of confidential or sensitive data, which poses a “significant barrier to the adoption of cloud services” [15].

The argument of lacking security measures in the cloud holds a lot of ground. Many providers do not even know the extent of the security vulnerabilities, and this issue is compounded by the unique structure of the cloud. Many different users run virtual machines on the same physical hardware, which can allow an attacker to proliferate his attack throughout the hypervisor and onto all VMs running on that hypervisor. In this way, one user’s VM may be susceptible to an indirect attack when a direct attack is launched on a different user’s VM on the same hypervisor. This is possible based on unknown security vulnerabilities of the hypervisor, which, once compromised, can allow an attacker to target every VM on the targeted hypervisor [11]. This phenomenon is not prevalent in traditional networks, where an attacker must use a multi-hop method to indirectly attack a victim. Thus, this interdependency between users on the same hypervisor is a unique challenge to cloud computing providers: how to allocate virtual machines for optimum security.

In a cloud setting, an attacker can launch an indirect attack on User j by first compromising the VMs of User i, going through the hypervisor, and then compromising the VMs of User j. This creates a risk connection where the security of User j is dependent on User i and vice versa. This is especially true if there is a large difference in the potential total loss that can be suffered by User i and User j, since the larger of the users could be discouraged from using the cloud because its potential loss is much greater. With only 56% of cloud users saying they trust cloud providers with sensitive information and an even smaller 30% knowing what measures cloud providers actually use for security, this problem is still very evident [12]. Due to the interdependent nature of the cloud users, we may use game theory to model their choices. This is possible since game theory is the “mathematical models of conflict and cooperation between intelligent rational decision makers” [13].

There are several contributions this paper makes. First, its focus is on modeling the choices of several rational players in the cloud within a game-theoretic framework. We also propose that the solution to the externality problem in [1] is through effective VM allocation management by the cloud provider to ensure delivery of maximum security for all cloud users. Along with solving the externality problem generated inherently by the cloud, our paper also provides the proof that Nash equilibrium will be the optimal solution for our model. We wish to use the knowledge gained from this model to influence cloud providers to make optimal security-based virtual machine allocation decisions.


Report Documentation Page (Standard Form 298, Rev. 8-98)

Report date: 13 JAN 2015
Dates covered: 00-00-2015 to 00-00-2015
Title and subtitle: Security-aware Virtual Machine Allocation in the Cloud: A Game Theoretic Approach
Performing organization: Air Force Research Laboratory Information Directorate, Cyber Assurance Branch, Rome, NY
Distribution/availability statement: Approved for public release; distribution unlimited
Supplementary notes: 2015 IEEE 8th International Conference on Cloud Computing
Security classification (report, abstract, this page): unclassified
Limitation of abstract: Same as Report (SAR)
Number of pages: 9

Section  II  will  focus  on  related  works  and  how  this  paper 
differentiates  from  them.  Section  III  will  elaborate  on  the 
cloud  architecture  common  to  many  cloud  structures  that  will 
be  used  in  our  game  model.  Section  IV  will  be  the  set  up  of 
the  game  model  and  diagram  the  game  in  normal  (matrix) 
form.  After  analyzing  the  game  result  in  Section  V  in  the 
simplest  case,  we  will  extend  our  model  in  Section  VI.  Section 
VII  will  present  numerical  results  and  compare  our  model’s 
negative  externality  to  other  common  allocation  methods. 
Section  VIII  concludes  the  paper. 

II.  Background  &  Related  Work 

A major issue in cloud computing is how the cloud provider will allocate the virtual machine instances created by a constant stream of clients. There are many ways to approach this problem that have been examined in previous papers. Many of the solutions offered are virtual machine allocation based on load balancing techniques, energy consumption, or both [2], [5], [8], [9]. Wei et al. [5] use game theory in order to maximize the efficiency of resources within a cloud computing environment. Beloglazov et al. [9] offered several algorithmic solutions rooted in heuristics for energy and performance. Jing Xu and Jose A. B. Fortes [2] introduced several algorithms to achieve allocative efficiency, as Beloglazov et al. did. Jalaparti et al. [8] attempted to solve the issue of cloud resource allocation with game theory, similar to Wei et al. They sought to model the intricate client-to-client and client-to-provider interactions using game theory.

Game theory has also been applied to cloud computing in certain aspects, including infrastructure resilience [3], cloud usage pricing [4], and virtual machine allocation [5], [6], [8].

Han et al. [6] demonstrated a new method of infiltration that can be exploited through the cloud and not traditional computing: through side channels. This gives rise to new risks, as the hardware used to create VMs is shared between users, which attackers can exploit. By starting a VM on the same server as a target user, an attacker can siphon sensitive information from them, including web traffic and even encryption keys. This paper uses game theory to find the best method for mitigating such attacks, which have been shown to have a 40% success rate of VMs achieving co-location with the target user's VM [7].

Rao et al. [3] studied the ability of a cloud computing entity within the framework of game theory to provide a given capacity C at a certain probability P given a physical or cyber attack on their infrastructure. A simple game was set up in which a cloud provider with a certain number of servers S was to defend against an attacker attacking these servers. Among the possible ways to mitigate attack was for the provider to use reinforcement strategies, which decreased attacker utility. It was concluded through several tests that the survivability of an attack (the ability to operate at capacity C under probability P) was heavily influenced by the cost of defense and the cost of an attack. If the cost of a defense is high, then the provider chooses to defend the sites and thus the survivability was 0 in this case due to an attack.

Kunsemoller and Karl [4] examined the economics of cloud computing and its viability for a given business to use. Game theory was specifically used to model a few circumstances in which it would be economically beneficial to use cloud services. Payoff for the provider is clearly maximized if they charge the highest price at which there is a cost benefit for the client to use cloud services, or the breakeven point.

Outside of game theory or VM allocation, another important work includes Ristenpart et al. [7] and their work on discovering new vulnerabilities in the cloud structure. They looked at the idea of co-resident attacks on virtual machines within the cloud network. Unlike any predecessor, however, this paper used empirical evidence and actual data from running experiments on the Amazon EC2 cloud. They began by running all 5 instance types that EC2 offers across 3 available placement zones within the cloud. From this it was determined that IP assignment is very uniform in that IP addresses are partitioned by availability zones (most likely to make it easy to manage separate network connectivity for these zones). Using this information, there was a test to determine co-residence on network-based technology (it was also shown that this type of technology need not be used). Eventually it was shown that an efficient attacker can achieve co-residence up to 40% of the time an attack is launched. Once co-residence was achieved, several methods could be used to extract information from or damage the victim. This included measuring cache usage, launching DoS attacks, keystroke timing attacks, stealing cryptographic keys and estimating traffic rates. It was concluded that currently, for unconditional security against cross-VM attacks, one must avoid co-residence.

Kamhoua  et  al.  [1]  viewed  attacks  on  the  hypervisor  and 
compromising  virtual  machines  from  a  game  theoretical 
perspective.  One  of  the  larger  issues  presented  in  [1]  is  also 
present  in  this  paper:  interdependency.  Interdependency  in  [1] 
dealt  mainly  with  the  issue  of  one  user’s  lack  of  investment 
compromising  the  security  integrity  of  another  user  on  the 
same  hypervisor  since  an  attack  on  the  hypervisor  may 
propagate  to  other  users.  This  is  also  present  in  the  current 
paper  but  emphasized  to  a  much  lesser  extent  and  is  not  the 
main  focus.  Interdependency  in  general  still  plays  a  crucial 
role  in  both  papers,  however,  and  the  choices  of  the  players 
reflect  the  relevant  payoffs  of  the  other  players  as  well.  In  the 
current  paper  we  resolve  the  negative  externality  in  [1]  that 
one  player  imposes  on  another.  Our  solution  is  through 
effective  VM  allocation  management  of  the  cloud  provider  to 
ensure  delivery  of  maximum  security  for  all  cloud  users.  The 
negative  externalities  are  minimized  because  users  with 
similar  potential  loss  choose  to  be  located  on  the  same 
hypervisor.  This  is  one  of  the  main  contributions  of  our  paper. 

III.  System  Model 

A  public  cloud  infrastructure  that  is  running  on  Hypervisor 

has n users that are denoted as User $U_{11}, U_{12}, \ldots, U_{1n}$, who each run virtual machines $VM_{11}, VM_{12}, \ldots, VM_{1n}$. Note that the first subscript states which hypervisor each user is located on and the second subscript denotes the user number. For example, the first user operating on hypervisor 3 is written as $U_{31}$ and a second user as $U_{32}$. Additionally, we do not make the distinction between the cloud tenant and user. For practical purposes, the tenant is the true entity that manages the VMs as a liaison, while the ‘user’ in cloud terminology is the end user who hires the tenant and benefits from the cloud (and also the one to realize any ill effects of asset loss). We will assume that the cloud tenant will act in good faith (and do what is the most secure or best) for the end user, and thus the remainder of the paper will refer to the end user only. Each user may run multiple virtual machine instances (and multiple operating systems), but it will be assumed that each user runs one VM for simplification purposes, as it will be shown later that multiple VMs run by one user may be mathematically combined into one VM. The number of applications run by a user will also not impact the model. Although the physical infrastructure a cloud uses will vary (such as different hypervisors like Xen, VMware, KVM), the underlying principle of a shared platform in which users are exposed to collateral damage holds true.

It is evident that several issues arise within the cloud infrastructure once this model is examined. Users that run on the same hypervisor are susceptible to a ‘bad neighbor’ effect in which an attacker, who has compromised one user’s VMs, may traverse the hypervisor to launch an attack on another user’s VMs on the same hypervisor. This is the problem of interdependency. We hold that if the hypervisor is compromised, then all users located on that hypervisor will be compromised (and suffer the consequences) as well. This is because once an attacker compromises the hypervisor, all VMs hosted on that hypervisor can be freely compromised by the attacker. However, if a user does not have VMs on the same hypervisor as the one being targeted, then they will not suffer the consequences. This remark will play an important role later in the paper. Section IV will now explain and set up the problem in the context of game theory.

IV.  Game  Model 

This section considers four players, an attacker and three users, acting across two hypervisors. The four players are assumed to be rational and to all have an understanding of the system in which the game is played. Furthermore, it is expected that each player can calculate and maximize their payoff (i.e., utility). In Section VI we extend the problem to n players and m hypervisors.

Along with the commonly applied game-theoretic assumptions of rationality and common knowledge of the game’s space, we further assume that the attacker has 3 strategies: to launch an attack on User 1 (this strategy will be denoted as $A_1$), on User 2 ($A_2$) or on User 3 ($A_3$). The attacker may only attack one user directly at a time. The strategy to launch an attack may include steps such as: collecting information, credential compromising, executing attack payload, establishing backdoor, and scanning. The strategy for User 2 is binary since that user’s only choices are to invest ($I$) in security or to not invest ($N$) in security. In the instance of choosing to invest in security, the user will be allocated to hypervisor 2 ($H_2$), while no investment in security will result in User 2 being allocated to hypervisor 1 ($H_1$). The user that chooses to invest may take multiple courses of action, including updating software, buying new antivirus software, and applying stricter system monitoring. In this way, $H_2$ is the more secure platform for security-conscious cloud users. It is important to note that throughout the remainder of the paper, we shall refer to users that invest (do not invest) in cloud security and users that are allocated to $H_2$ ($H_1$) interchangeably.

Furthermore, User 1 will automatically be allocated onto $H_1$ (no investment in security) and User 3 will be allocated to $H_2$ (investment in security). This means that the only user making a choice as to invest in security or not will be User 2. Since User 2 will have two strategies ($I$ or $N$) and the attacker has three strategies ($A_1$, $A_2$, or $A_3$), there are a total of six possible permutations in the normal form game, as diagrammed in Table 1.

The reason for the automatic allocation of User 1 and User 3 is as follows: It is assumed that the relative ‘importance’ of each user is determined by the total maximum loss that can be suffered by the user if compromised. This is denoted by $L_1$, $L_2$, and $L_3$, with the subscripts corresponding to each respective user. This means that if User 1’s virtual machines were compromised, then User 1 would suffer a loss totaling $L_1$. Additionally, we assume that

$$L_1 < L_2 < L_3 \tag{1}$$

which implies that User 3 will suffer the most costly damage (for example, through loss of information, trade secrets, client information, etc.) if its virtual machines are compromised, and User 1 the least amount of damage. Since User 3 faces the biggest potential for loss and User 1 the least, it is logical that User 3 would invest in security (and be allocated to $H_2$) and that User 1 would not invest in security (and be allocated to $H_1$). Thus, the only cloud user making an investment choice in this game will be User 2. The sufficient conditions under which User 1 and User 3 will always be allocated to $H_1$ and $H_2$, respectively, will be shown in the model extension. Additionally, the strategy profile for the game is stated in Table 1 as (attacker strategy, User 2 strategy). For example, the profile of an attacker that attacks User 1 while User 2 invests in security is given as $(A_1, I)$.

The probability that an attack is successful on an individual user that has invested in security is given as $q_I$; that user pays cost $e$ for the investment. If the user has not invested in security, then the probability of compromise is $q_N$. It is assumed that

$$0 < q_I < q_N < 1 \tag{2}$$

because if $q_I > q_N$ then no logical user would choose to invest in security, since it does not lower their chance of being compromised.

The probability of a successful attack on the hypervisor after one of its VMs is compromised is given as $\pi$, where we assume

$$0 < \pi < 1 \tag{3}$$

It is a strong assumption that there will be no chance of a successful attack on the hypervisor ($\pi = 0$), especially since the current hypervisor security situation is very unclear [11]. We also consider that not all attacks on the hypervisor will definitively allow for compromise ($\pi = 1$), and thus Equation (3) results. Lastly, it is assumed that the reward from using cloud services (either invested, $I$, or not invested, $N$) is given as $R$. This could include monetary savings from outsourcing IT or on-demand resources that can dynamically change depending on the relative need.

Looking again at the normal form game in Table 1, the attacker’s strategies are represented in the rows (and the top equation in each of the six game possibilities gives the attacker’s payoff) and User 2’s strategies are shown in the columns (and the bottom equation in each of the six gives the user’s payoff). Thus, a game profile of $(A_1, I)$ would give the attacker a payoff of $q_N L_1$ and User 2 a payoff of $R - e$.

The payoffs are calculated as follows, taking strategy profile $(A_1, I)$ as a first example: User 2 will receive reward $R$ from using the cloud services (this is true for all 6 game possibilities) and will pay expense $e$ for the cost of paying for extra security. Since User 2 is not being attacked directly and is located on a different hypervisor from the one being targeted, the user’s expected loss from a successful attack is 0. Thus, the payoff for User 2 is $R - e$. For the attacker targeting User 1, since User 1 has not invested, its chance of being compromised is $q_N$. To find the probabilistic loss of User 1, we must multiply the chance of compromise by its total possible loss ($L_1$), which gives an expected loss of $q_N L_1$. Since User 1 is the only user located on the first hypervisor, the total gain for the attacker targeting User 1 is $q_N L_1$.

Taking the strategy profile $(A_1, N)$ as another example, we can see that the payoff for User 2 is the reward $R$ minus $q_N \pi L_2$. The quantity $q_N L_2$ is the expected loss from a successful compromise of User 2. However, we must multiply this quantity by $\pi$ since User 2 is not a direct target, and in order to compromise User 2 the attacker must first compromise the hypervisor. If User 2 was the main target of the attacker, as seen in strategy profile $(A_2, N)$, we can see that User 2’s payoff is the reward $R$ minus the expected loss $q_N L_2$, without the value $\pi$, since the attacker need not go through the hypervisor in order to compromise the virtual machines of User 2 if User 2 is a direct target.


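Table 1: Game Model in Normal Form
(rows: attacker strategy; columns: User 2 strategy; each cell lists the attacker's payoff first, then User 2's payoff)

| Attacker | User 2: $N$ | User 2: $I$ |
| $A_1$ | $q_N L_1 + q_N \pi L_2$ ; $R - q_N \pi L_2$ | $q_N L_1$ ; $R - e$ |
| $A_2$ | $q_N L_2 + q_N \pi L_1$ ; $R - q_N L_2$ | $q_I L_2 + q_I \pi L_3$ ; $R - e - q_I L_2$ |
| $A_3$ | $q_I L_3$ ; $R$ | $q_I L_3 + q_I \pi L_2$ ; $R - e - q_I \pi L_2$ |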

When viewing the strategy profile $(A_2, I)$ from the attacker’s perspective, we can see that his reward is twofold. His payoff from attacking User 2 is $q_I L_2$ (User 2’s expected loss). In addition, the quantity $q_I \pi L_3$ is added to the attacker’s payoff since User 3 lies on the same hypervisor ($H_2$) as User 2, even though User 3 is not directly being targeted by the attacker. Since User 3 is not a direct target, the attacker must propagate his attack through the hypervisor first before compromising User 3. As a result, $\pi$ is multiplied by User 3’s expected loss (giving $q_I \pi L_3$), and thus the total payoff for the attacker is $q_I L_2 + q_I \pi L_3$. Similar methods are used to derive the payoffs for all of the other profiles.

V.  Game  Analysis 

In this analysis we seek the different Nash equilibria of the game model. In game theory, when the Nash equilibrium profile is reached, no player can improve his utility by unilaterally deviating from the result. At this point, no player wants to change their strategy since it is the best response based on the other player’s actions, which means all players’ choices are in a Nash equilibrium profile. In this way, Nash equilibrium can predict the behavior of rational agents.

We make the following three observations. First, $(A_1, N)$ cannot be a Nash equilibrium since the attacker can improve his utility by playing $A_2$. Second, $(A_2, I)$ cannot be a Nash equilibrium since the attacker can improve his utility by playing $A_3$. Third, $(A_3, I)$ cannot be a Nash equilibrium since User 2 can improve his utility by playing $N$. However, we can have the pure strategy Nash equilibrium profiles $(A_3, N)$, $(A_2, N)$ and $(A_1, I)$ under the specific conditions below.

Theorem 1:

If

$$L_3 > \frac{q_N}{q_I}(L_2 + \pi L_1) \tag{4}$$

is true, then the strategy profile $(A_3, N)$ is a Nash equilibrium of the game in Table 1.

Theorem 2:

If

$$L_3 < \frac{q_N}{q_I}(L_2 + \pi L_1) \tag{5}$$

and

$$e > (q_N - q_I) L_2, \tag{6}$$

then the strategy profile $(A_2, N)$ is a Nash equilibrium.

Theorem 3:

If

$$L_1 > \frac{q_I}{q_N}(L_3 + \pi L_2) \tag{7}$$

and

$$e < q_N \pi L_2, \tag{8}$$

then the strategy profile $(A_1, I)$ is a Nash equilibrium.

The proofs of these theorems are straightforward. We omit them because of space limitations. If none of the conditions of Theorems 1, 2 or 3 for pure Nash equilibrium are fully met, then the problem admits a mixed Nash equilibrium.

Mixed  Nash  Equilibrium 

A mixed Nash equilibrium is different from a pure Nash equilibrium in the sense that the players do not play a single strategy with absolute certainty but rather play each choice with some probability. For example, User 2 might play $N$ with probability $\frac{3}{4}$ and $I$ with probability $\frac{1}{4}$. The conditions and formulas for the equations of mixed Nash will be shown.

Theorem 4:

If the following 3 conditions hold:

$$L_3 < \frac{q_N}{q_I}(L_2 + \pi L_1), \tag{9}$$

$$e < (q_N - q_I) L_2, \tag{10}$$

$$L_1 < \frac{q_I}{q_N}(L_3 + \pi L_2), \tag{11}$$

then the game admits a mixed strategy Nash equilibrium.


Proof:

We can see that if (11) holds, the strategy $A_1$ is never an optimum and is not needed in the calculations for the equations of Nash equilibrium. Thus, we will only use strategies $A_2$ and $A_3$ for the attacker. The reasoning is as follows: If the defender (User 2) chooses to not invest, the attacker prefers to play $A_2$ because Equation (9) holds. When the attacker plays $A_2$, the defender prefers to switch from not investing to investing to avoid the attacker, since Equation (10) holds. Thus, if User 2 invests and moves from $H_1$ to $H_2$, the attacker prefers to switch his strategy from $A_2$ to $A_3$ because of (1) and (3). Lastly, since the attacker is now playing $A_3$, the defender will want to switch from investing to not investing in order to avoid an indirect compromising of virtual machines. As a result, these four strategy profiles circulate among each other indefinitely with no final stopping point. This shows that there is no pure Nash equilibrium (because there is no strategy in which both players will remain for certain) but rather a strategy profile in which each player plays a given strategy probabilistically.

Remark: Note that this circulation of strategies does not include A1 as a strategy for the attacker, showing that this strategy will never be an optimum for the attacker and thus is never played. The remaining four strategy profiles ((A2, N), (A2, I), (A3, N), (A3, I)) give the payoffs that are used to calculate the mixed Nash equilibrium.

At the mixed Nash equilibrium, User 2 must randomize in such a way that the attacker is indifferent between his two strategies, i.e., Ua(A2) = Ua(A3). Let α be the probability with which User 2 chooses N. This gives:

\[ U_a(A_2) = \alpha\,(q_N L_2 + q_N \pi L_1) + (1 - \alpha)\,(q_I L_2 + q_I \pi L_3) \tag{12} \]

\[ U_a(A_3) = \alpha\,(q_I L_3) + (1 - \alpha)\,(q_I L_3 + q_I \pi L_2) \tag{13} \]

As stated, in order to find α we must equate these two functions and solve. This gives:

\[ \alpha = \frac{q_I\,[(L_3 + \pi L_2) - (L_2 + \pi L_3)]}{q_N (L_2 + \pi L_1) - q_I (L_2 + \pi L_3) + q_I \pi L_2} \tag{14} \]

which means that User 2 will play strategy N with probability α and I with probability (1 − α).

We will now examine the attacker's mixed Nash equilibrium by letting β(A2) + (1 − β)(A3) be the strategy of the attacker. Given this, we can see that

\[ U_d(N) = \beta\,(R - q_N L_2) + (1 - \beta)\,R \tag{15} \]

\[ U_d(I) = \beta\,(R - e - q_I L_2) + (1 - \beta)\,(R - e - q_I \pi L_2) \tag{16} \]

At the mixed Nash equilibrium, the attacker must randomize in such a way that the defender (User 2) is indifferent between his two strategies. Equating these two equations and solving for β leaves us with:

\[ \beta = \frac{e + q_I \pi L_2}{q_N L_2 - q_I L_2 (1 - \pi)} \tag{17} \]

Next, it is straightforward to verify that 0 < α < 1 and 0 < β < 1 in all instances, so there is no case in which the parameters produce an inappropriate value for α or β. We will now extend this model's scope beyond three users and discuss its implications.


VI. Model Extension & Discussion

For  our  model  extension,  all  our  previously  stated 
assumptions  remain  in  place  except  the  number  of  users  is 
now  increased  to  n.  The  number  of  hypervisors  remains  at 
two. In practice, there is a one-to-one mapping of hypervisors to physical servers, so with m hypervisors cloud clients can pay for increasingly structured levels of security, with H1 being the least secure and Hm being the most secure. The reasoning we applied for two hypervisors is the same for m hypervisors.

One of the main results that we can draw from n users is that among all the n users there will be only one user who actually makes a decision as to which hypervisor to allocate to; all other users will remain static in their allocation choice regardless of the number of players. This is why User 1 and User 3 were statically placed in H1 and H2, respectively. The observation behind this is as follows: there exists only one user who will sit on the threshold of choosing between investing in security and not investing in security, because all other users' expected loss magnitudes balance out. This makes this user unique; unlike the other users, this one is unable to choose between investing and not investing in a binary sense, since whichever hypervisor the user chooses to allocate to will be attacked, because the user will 'tip' the payoff for the attacker in that direction. This gives rise to this unique player having a mixed Nash equilibrium, whereas all other players have pure, and static, Nash equilibria.

Since the attacker will always attack the 'largest' player in the targeted hypervisor, if the unique user were to allocate to H1, the unique user will be the direct victim of the attack, since by default it will be the largest player on H1. This is because all players will be grouped by loss potential on the hypervisors, since a small loss gap between players will minimize the externality imposed on each other and thus maximize security. This is a well-studied problem in game theory and is known as Hotelling's Law [14]. In this context, players are self-grouping by potential maximum loss. Thus, having the largest and smallest potential loss players grouped on one hypervisor and all of the in-between potential loss players on another hypervisor is not observed; rather, players will be allocated with other users with similar total loss potentials.

Formally, for a game having n players and with critical User l (1 < l < n), Users 1, 2, ..., l−1 will be located on H1 and Users l+1, l+2, ..., n−1, n will be located on H2. If User l chooses to allocate to H1, then he will be the direct target of the attack. If he chooses to allocate to H2, then User n will be the direct target and User l merely becomes an indirect target by factor π. Thus, in order for a user to be the pivotal user, the following two equations must be satisfied:

\[ q_N \pi L_1 + \cdots + q_N \pi L_{l-1} + q_N L_l > q_I \pi L_{l+1} + \cdots + q_I L_n \tag{18} \]

\[ q_N \pi L_1 + \cdots + q_N L_{l-1} < q_I \pi L_l + q_I \pi L_{l+1} + \cdots + q_I \pi L_{n-1} + q_I L_n \tag{19} \]

As can be seen, the pivotal user shifts the inequality and thus where the attacker will focus his attack. Furthermore, we can verify that User 1 and User n will always choose to not invest (H1) and invest (H2), respectively, if e lies in the range

\[ L_1 (q_N - q_I \pi) < e < L_n (q_N - q_I) \tag{20} \]

VII. Numerical Results and Analysis

The game analysis provides an in-depth explanation of the pure and mixed Nash equilibria. Our key variables in the analysis were R, q_N, q_I, L1, L2, L3, π and e. We show how User 2's payoff changes with respect to a change in some selected variables, and how the equilibrium may shift once a certain threshold is passed.

A.  Changes  in  User  2’s  payoff  with  respect  to  L2 

In this first section we set specific values for all of the aforementioned constants save for L2 and graph the results. For our first example we will take R = 1.5, q_I = .1, q_N = .4, π = .1, L1 = 1, L3 = 100, and e = .4. Using Equation (20), we see that .39 < e < 30, so this verifies that e is an appropriate value. Looking at Figure 1, we can see the payoff of User 2 change as L2 increases.


Figure 1: Changes in User 2's Payoff with his Potential Loss L2.

The first thing we can immediately see is that there is a strategy change from (A3, N) to mixed Nash equilibrium at L2 = 24.9. This is because for 1 < L2 < 24.9, the condition for pure Nash equilibrium (4) is satisfied. After that, Equation (4) is falsified, all 3 conditions of mixed Nash equilibrium are fulfilled, and thus a strategy change occurs at this point. Notice that as L2 approaches the value of L3, there is a diminishing payoff from using the cloud, and it even turns negative at L2 ≈ 77 for the given value of R. In fact, as L2 increases, α and β decrease and User 2 invests less often. However, the frequency of direct attack on User 2 increases, causing the decrease in User 2's payoff. The implication of a negative payoff is that after reaching it, User 2 will completely opt out of using cloud services.

B.  Changes  in  User  2’s  payoff  with  respect  to  e 

Moving  onto  Figure  2,  we  hold  all  of  the  same  values  as 
before  except  we  set  L2  =  10,  L3  =  20  and  graph  the  applicable 
value  of  e  with  respect  to  changing  payoff. 


Figure 2: Changes in User 2's Payoff with Expense e.


Too high of a value for L3 will always result in profile (A3, N), so the potential loss values are more closely clustered in this example. As shown before, the range for e is given in Equation (20), which results in .39 < e < 6. This will be our range for the x axis. We can see a strategy change from mixed Nash equilibrium to pure Nash at e = 3. This is intuitive since after that threshold, the choice of investing for User 2 becomes too expensive and unfeasible, and thus the pure Nash equilibrium (A2, N) results. Note that User 2 will not invest in cloud security at this Nash equilibrium even though they know they are a direct target of the attacker. Furthermore, for the selected value of R, User 2 will not make use of cloud services at all unless there is a low value of e (specifically e = 1.213).

C. Changes in User 2's payoff with respect to π

Figure 3 shows the changing payoff of User 2 as we change the probability of compromising the hypervisor, π. We use the same values as set in analysis B, change π from a constant to a variable, and set e = .4.


Figure 3: Changes in User 2's Payoff with Probability π.

It is apparent that there is no shift in Nash equilibrium across all values of 0 < π < 1. These results are not surprising, as an increasing π only slightly increases the externality imposed onto User 2 by other users. The increase in externality caused by an increasing π is not significant enough to change any strategies of the player. This is a very significant discovery since in [1] there was a Nash equilibrium shift if π reached a certain threshold, but in this analysis that is not the case, thus validating one of the main aims of this research: to reduce the externality imposed onto one user by another. However, it is possible that π may shift the Nash equilibrium, though only in exceptional cases in which the conditions for two different Nash equilibria are very close to being met. One instance is that if L3 ≈ (q_N/q_I)(L2 + πL1), then π may shift the inequality either way and thus change the Nash equilibrium. In most cases, the Nash equilibrium will not change from the initial conditions, which is a very positive sign that this security-based allocation will have the effect of mitigating the externality problem.

It  is  apparent  that  a  direct  attack  is  much  more  of  an 
importance  when  deciding  where  to  allocate.  As  we  will  see  in 
the  next  variable  analysis,  the  —  ratio  is  also  very  important  in 
determining  the  prevalent  Nash  equilibrium. 

D. Changes in User 2's payoff with respect to q_I

For this section we will take R = 1.5, q_N = .5, π = .1, L1 = 1, L2 = 10, L3 = 20, and e = .4 (same values as in parts B and C except for q_N), using q_I as a variable. We take 0 < q_I < .5 (since q_I < q_N) and the results can be seen in Figure 4. For small values of q_I, the pure Nash profile (A1, I) exists. This makes sense since if the probability of compromising a VM on the secure hypervisor is so low as to discourage any type of attack, then it would be a higher payoff for the attacker to target those users who chose to not invest.


Figure 4: Changes in User 2's Payoff with probability q_I.

At q_I ≈ .0238, the Nash equilibrium changes to a mixed strategy and then changes again to the pure Nash equilibrium (A3, N) at q_I ≈ .2525. This second switch of Nash equilibria is also feasible, since as the q_I/q_N ratio becomes closer to 1, the L3/L2 ratio becomes a more dominant factor in the calculations, and at the second threshold the disparity becomes so large that L3 ≫ L2 and the switch to strategy profile (A3, N) occurs.
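The thresholds quoted in sections A, B and D can be reproduced from conditions (9) to (11) and Equations (12) to (17). The following Python sketch is an added example, not code from the paper; the class and function names are hypothetical, and the parameter sets are the ones stated in those sections.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Game:
    R: float    # the constant R in Eqs. (15)-(16)
    qN: float   # probability of compromising an attacked VM on H1 (no investment)
    qI: float   # same probability on the secure hypervisor H2
    pi: float   # probability of compromising the hypervisor (reaching co-resident VMs)
    L1: float   # potential losses of Users 1, 2 and 3
    L2: float
    L3: float
    e: float    # expense on security

def theorem4_conditions(g):
    """Conditions (9), (10), (11), cross-multiplied so nothing is divided by q."""
    c9 = g.qI * g.L3 < g.qN * (g.L2 + g.pi * g.L1)
    c10 = g.e < (g.qN - g.qI) * g.L2
    c11 = g.qN * g.L1 < g.qI * (g.L3 + g.pi * g.L2)
    return c9, c10, c11

def mixed_equilibrium(g):
    """Return (alpha, beta) from Eqs. (14) and (17), or None if Theorem 4 does not apply."""
    if not all(theorem4_conditions(g)):
        return None
    num = g.qI * ((g.L3 + g.pi * g.L2) - (g.L2 + g.pi * g.L3))
    den = g.qN * (g.L2 + g.pi * g.L1) - g.qI * (g.L2 + g.pi * g.L3) + g.qI * g.pi * g.L2
    beta = (g.e + g.qI * g.pi * g.L2) / (g.qN * g.L2 - g.qI * g.L2 * (1 - g.pi))
    return num / den, beta

def attacker_payoffs(g, alpha):
    """(Ua(A2), Ua(A3)) from Eqs. (12)-(13) when User 2 plays N with probability alpha."""
    ua2 = alpha * g.qN * (g.L2 + g.pi * g.L1) + (1 - alpha) * g.qI * (g.L2 + g.pi * g.L3)
    ua3 = alpha * g.qI * g.L3 + (1 - alpha) * g.qI * (g.L3 + g.pi * g.L2)
    return ua2, ua3

def defender_payoffs(g, beta):
    """(Ud(N), Ud(I)) from Eqs. (15)-(16) when the attacker plays A2 with probability beta."""
    ud_n = beta * (g.R - g.qN * g.L2) + (1 - beta) * g.R
    ud_i = beta * (g.R - g.e - g.qI * g.L2) + (1 - beta) * (g.R - g.e - g.qI * g.pi * g.L2)
    return ud_n, ud_i

def thresholds(g):
    """Values of the swept variable at which a Theorem 4 condition becomes an equality."""
    return {
        "L2_min": g.qI * g.L3 / g.qN - g.pi * g.L1,          # from (9), section A
        "e_max": (g.qN - g.qI) * g.L2,                       # from (10), section B
        "qI_min": g.qN * g.L1 / (g.L3 + g.pi * g.L2),        # from (11), section D
        "qI_max": g.qN * (g.L2 + g.pi * g.L1) / g.L3,        # from (9), section D
    }

# Parameter sets as stated in sections B, A and D of the numerical results.
SECTION_B = Game(R=1.5, qN=0.4, qI=0.1, pi=0.1, L1=1, L2=10, L3=20, e=0.4)
SECTION_A = replace(SECTION_B, L3=100)   # L2 is the swept variable in section A
SECTION_D = replace(SECTION_B, qN=0.5)   # qI is the swept variable in section D

if __name__ == "__main__":
    alpha, beta = mixed_equilibrium(SECTION_B)
    print(f"alpha={alpha:.4f} beta={beta:.4f}")
    print("attacker indifferent:", attacker_payoffs(SECTION_B, alpha))
    print("defender indifferent:", defender_payoffs(SECTION_B, beta))
    for name, game in (("A", SECTION_A), ("B", SECTION_B), ("D", SECTION_D)):
        print(name, thresholds(game))
```
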

E.  Model  Extension  to  n  =  10  users 

In this section we will continue our model extension and not limit our discussion to simply three players. We will take R = 1.5, q_N = .4, q_I = .1, π = .1, e = .4 as before and, per section VI, set the number of users as n = 10. For all of our potential loss values, we will use L1 = 1, L2 = 2, L3 = 3, L4 = 4, L5 = 5, L6 = 6, L7 = 7, L8 = 8, L9 = 9, L10 = 10.

Our  next  step  is  to  find  which  of  the  ten  users  the  pivotal 
user  is  while  the  remaining  nine  stay  static.  Thus,  we  must 
find  the  user  such  that  Equations  (18)  and  (19)  are  true. 

By  calculating  individual  potential  losses,  we  find  that 
User  4  is  the  pivotal  user. 

Using Equation (20), we find that .39 < e < 3, which shows our selected value of e is within the restricted range. It is important to note that the value of e will have a strong influence on the prevailing Nash equilibrium. If .39 > e then the price for security would be so inexpensive that it would be logical for all users (1 to 10) to allocate to H2. If e > 3 then the security would be so expensive that no user would want to invest in security (and all will as a result allocate to H1). Within the allowable range given by (26) there are some interesting results. From .39 < e < 1.56 there will be a mixed strategy in which User 4 will have a mixed Nash equilibrium while all other users will remain in their respective hypervisors (U1, U2, and U3 allocate to H1 while U5, U6, U7, U8, U9, and U10 allocate to H2). The threshold of 1.56 is determined by the maximum value at which User 4 will potentially still pay for security. Past this point, investing in security will become too expensive and thus 1.56 < e < 3 will result in a pure Nash equilibrium in which U1, U2, U3, and U4 allocate to H1 while all other users allocate to H2.
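The pivotal-user search of Equations (18) and (19) and the range of Equation (20), as an added Python example that is not part of the paper. The function names are hypothetical, and it assumes the loss values are sorted so that User 1 has the smallest potential loss.

```python
def attack_payoff(q, pi, losses):
    """Attacker's expected payoff for attacking one hypervisor.

    The VM with the largest potential loss is the direct target (probability q);
    every other VM on the same hypervisor is reached with the extra factor pi.
    An empty hypervisor pays nothing.
    """
    if not losses:
        return 0.0
    top = max(losses)
    return q * (top + pi * (sum(losses) - top))


def pivotal_users(losses, qN, qI, pi):
    """1-based indices ell (1 < ell < n) for which (18) and (19) both hold.

    losses[0] is L1 and losses[-1] is Ln; the list must be sorted ascending.
    """
    losses = list(losses)
    if losses != sorted(losses):
        raise ValueError("losses must be sorted ascending")
    found = []
    for ell in range(2, len(losses)):
        below = losses[:ell - 1]        # Users 1 .. ell-1, fixed on H1
        above = losses[ell:]            # Users ell+1 .. n, fixed on H2
        user = [losses[ell - 1]]        # the candidate pivotal user
        # (18): with the candidate on H1, attacking H1 pays more than attacking H2.
        cond18 = attack_payoff(qN, pi, below + user) > attack_payoff(qI, pi, above)
        # (19): with the candidate on H2, attacking H2 pays more than attacking H1.
        cond19 = attack_payoff(qN, pi, below) < attack_payoff(qI, pi, user + above)
        if cond18 and cond19:
            found.append(ell)
    return found


def expense_range(losses, qN, qI, pi):
    """Open interval (low, high) for e given by Eq. (20)."""
    return losses[0] * (qN - qI * pi), losses[-1] * (qN - qI)


# Values from section E: ten users with L1..L10 = 1..10.
LOSSES = list(range(1, 11))
QN, QI, PI = 0.4, 0.1, 0.1

if __name__ == "__main__":
    print("pivotal user(s):", pivotal_users(LOSSES, QN, QI, PI))
    print("range of e from (20):", expense_range(LOSSES, QN, QI, PI))
    print("payoff for attacking H2 with only User 10 on it:",
          attack_payoff(QI, PI, [10]))
```
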

To  further  show  the  critical  role  of  User  4,  we  have 
diagrammed  the  changing  payoff  structure  for  the  attacker  on 
Figure  5  as  the  number  of  users  of  each  hypervisor  changes. 


Figure  5:  Change  in  attacker’s  Payoff  with  the  Number  of  Users  on 
the  attacked  hypervisor. 

As can be seen, one line (blue) represents the attacker payoff for attacking H1, and another (red) shows the attacker payoff for attacking H2. For example, the payoff for the attacker targeting H2 if all users are located on H1 is 0. If there is 1 user on H2 (by default User 10), then the attacker's payoff is q_I L10, which is 1.0. As the number of users on the hypervisor increases, the attacker payoff increases. The opposite will be true if the number of players decreases.

We can see that the payoffs for each strategy (attacking H1 versus attacking H2) intersect between when there are three and four players on H1 and the remaining players on H2, which corresponds to User 4 as the pivotal user. This means that at this point the attacker becomes aware of which hypervisor User 4 has allocated, since User 4's hypervisor allocation stems from pursuit of a higher payoff. As stated before, the strategy that U4 chooses will depend on the prevailing value of e. Since e = .4, we will have a mixed Nash equilibrium.

In  Figure  6  we  show  the  reduced  externality  from  the 
mixed  strategy  placement  of  User  4  and  the  optimum 
placement  of  the  other  users. 


Figure  6:  Externality  Based  on  Selected  Allocation  Types 

The first and second bars represent the total externality if all users were placed on H1 and H2, respectively. This was calculated by adding all the payoffs of the attacker that contained a factor of π. So the externality of all users on H2 was calculated as the sum q_I π L9 + ... + q_I π L1, and H1 similarly. This would be the externality for a fairly common allocation method such as for power consumption, where all users are clustered on as few hypervisors as possible. The third bar represents the externality from five VMs located on H1 and H2 each, which is supposed to represent another common allocation method: load balancing. Given our initial conditions, the attacker would attack H1 with probability 1 and thus the externality is calculated as q_N π L1 + q_N π L2 + q_N π L3 + q_N π L4. With five users on H1, the largest user (U5) will be the direct target while all other players will be counted in the externality figure since they are all indirect targets.

The  fourth  bar  shows  the  externality  imposed  onto  other 
users  in  the  instance  of  the  mixed  Nash  equilibrium.  As  can  be 
seen,  the  negative  externality  is  significantly  reduced 
compared  to  both  power  consumption  and  load  balancing 
allocation  methods,  to  the  magnitude  of  20%  externality 
reduction  from  the  second  closest  value  (bar  three). 

The fifth bar shows the externality imposed onto other users when using random placement, which is a common VM allocation method. This value was determined by randomly allocating the VMs among H1 and H2 10 times and averaging the result. This allocation is the worst except for placing all users in the less secure hypervisor H1. Our proposed allocation method based on mixed strategy Nash equilibrium has 125% externality reduction as compared to the random allocation method.

VIII.  Concluding  Remarks 

The  unique  properties  of  a  cloud  computing  structure  can 
allow  for  new  avenues  of  attack.  One  of  the  issues  presented 
was  the  one  of  externality,  where  one  user’s  lack  of  security 
may  affect  another  who  has  significantly  more  to  lose.  The 
paper  in  [1]  presented  the  externality  problem  within  the 
context  of  game  theory,  and  this  paper  aimed  to  solve  it.  By 
allowing  users  to  allocate  to  hypervisors  based  on  whether 
they  have  invested  in  security  or  not,  we  can  reduce  a  negative 
externality  that  users  may  impose  on  each  other.  In  allowing 
this  type  of  allocation  over  traditional  means,  such  as  load 
balancing  or  energy  optimization,  we  observe  that  users  will 
cluster  to  the  same  hypervisor  as  other  users  based  on  the  most 
similar  loss  potentials  in  order  to  minimize  the  negative 
interdependent effects. Additionally, we have shown that with this type of VM allocation mechanism, there is no significant strategy change with respect to the value of π, which is further proof that the negative externalities in this model are mitigated. This remains true even at extreme values such as π ≈ 0 or π ≈ 1. These findings are supported in Figure 6 by showing that our allocation method resulted in the lowest amount of externality by a fair margin.

Thus,  the  Nash  equilibrium  strategy  is  more  susceptible  to 
the  initial  conditions  such  as  the  potential  loss  the  users  face 
or  the  cost  of  investment.  It  is  apparent  that  the  value  of  e 
plays  a  crucial  role  in  determining  the  Nash  equilibrium  as 
shown  in  section  E  of  the  Numerical  Results.  For  cloud 
providers,  this  information  is  very  useful  in  that  they  may  set 
the value of e and predetermine the Nash equilibrium best suited for the maximum level of security and minimized externality. For the end users, knowledge of these values can be crucial in examining whether the cloud is a useful tool to use for reducing cost or a concept that has yet to prove its worth due to its subtle yet inherent dangers. Our future work will consider incomplete information games where the users do not know the magnitude of other players' expected loss.